Cyber Incident Victim: Neutralinojs
Date: Mar 2026
Location: —
Summary
North Korean threat actors have been running a fake job interview scheme that tricks developers into cloning repositories containing malicious Visual Studio Code tasks, which execute when the project is opened and propagate further when victims commit the code to GitHub. Trend Micro’s analysis revealed hundreds of compromised repositories, over five hundred malicious VS Code task configurations, and dozens of commit‑tampering tools, with infection markers found in the codebases of organizations such as DataStax and Neutralinojs.
Description
The campaign, which Trend Micro calls 'Contagious Interview', is run by a North Korean threat actor tracked as Void Dokkaebi, also known as Famous Chollima. The actor poses as a recruiter from cryptocurrency and AI firms to lure developers into fake job interviews. During these interviews, victims are asked to clone a code repository and review or run it as part of a technical assessment. The repository contains malicious Visual Studio Code workspace tasks that execute automatically when the project is opened in VS Code and the workspace trust prompt is accepted. Once executed, the malicious code installs remote access Trojans and other malware. Because the .vscode folder is hidden by default in GitHub commits, the infection propagates to any subsequent developer who clones the repository and accepts the trust prompt, creating a self‑propagating chain.

In March alone, Trend Micro identified more than 750 infected code repositories, over 500 malicious VS Code task configurations, and 101 instances of the commit‑tampering tool used by Void Dokkaebi. Repositories belonging to organizations such as the data management company DataStax and the Java application provider Neutralinojs were found to carry infection markers, indicating that their code bases had been compromised as part of the supply‑chain spread. The infection enables attackers to exfiltrate sensitive data such as cryptocurrency wallet credentials, signing keys, and access to CI/CD pipelines and production infrastructure from compromised developer environments. Each compromised developer seeds new repositories with the infection vector, turning every new victim into a potential distributor of the malware.

The abuse of the interview‑based technical test has been observed since at least 2023, with Void Dokkaebi evolving its tactics beyond the initial lure to incorporate the worm‑like VS Code task mechanism. Trend Micro’s analysis highlighted the scale of the campaign and the specific artifacts linked to the actor, providing visibility into the infection markers present in affected repositories. The ongoing nature of the threat means that the compromised repositories continue to serve as vectors for malware distribution until the malicious tasks are detected and removed.
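As an added example (not from Trend Micro or the original page), a repository audit for the mechanism described above: it lists every `.vscode/tasks.json` task set to start when the folder is opened. It assumes the auto-executing tasks use VS Code's `runOptions.runOn: "folderOpen"` setting, which the page does not name; the sample workspace and its commands are constructed.

```python
import json
import re
import tempfile
from pathlib import Path

def parse_jsonc(text):
    """tasks.json allows comments and trailing commas, which json.loads rejects."""
    for noise in (r"//[^\n]*|/\*.*?\*/", r",(?=\s*[}\]])"):
        # String literals are matched first so "//" or ",}" inside one is kept
        rx = re.compile(r'"(?:\\.|[^"\\])*"|' + noise, re.S)
        text = rx.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", text)
    return json.loads(text)

def auto_run_tasks(root):
    """Return (file, label, commands incl. per-OS overrides) for folder-open tasks."""
    findings = []
    for path in sorted(Path(root).rglob(".vscode/tasks.json")):
        try:
            doc = parse_jsonc(path.read_text(encoding="utf-8", errors="replace"))
        except ValueError:
            findings.append((str(path), "<unparseable, review by hand>", []))
            continue
        tasks = doc.get("tasks") if isinstance(doc, dict) else None
        for task in (tasks if isinstance(tasks, list) else []):
            opts = task.get("runOptions") if isinstance(task, dict) else None
            if isinstance(opts, dict) and opts.get("runOn") == "folderOpen":
                blocks = [task] + [task.get(k) for k in ("windows", "linux", "osx")]
                cmds = [b["command"] for b in blocks if isinstance(b, dict) and "command" in b]
                findings.append((str(path), task.get("label", ""), cmds))
    return findings

# Constructed sample workspace (placeholder commands, not from a real repository)
SAMPLE = """{
  // comments and trailing commas are legal in tasks.json
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "env-check", "type": "shell", "command": "echo placeholder // kept",
     "runOptions": {"runOn": "folderOpen"},
     "windows": {"command": "echo placeholder-win"},},
  ]
}"""

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp, "repo", ".vscode", "tasks.json")
        target.parent.mkdir(parents=True)
        target.write_text(SAMPLE, encoding="utf-8")
        return [(label, cmds) for _, label, cmds in auto_run_tasks(tmp)]
```

A hit is a review item, not a verdict: legitimate projects also use folder-open tasks, so the reported commands still need to be read before the workspace is trusted.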
